GitHub - hugsy/sstoper: SSTP VPN client for Linux

This repository has been archived by the owner on Jun 24, 2023. It is now read-only.

Name		Name	Last commit message	Last commit date
Latest commit History 105 Commits
docs		docs
misc		misc
.gitignore		.gitignore
AUTHORS		AUTHORS
COPYING		COPYING
COPYING.OpenSSL		COPYING.OpenSSL
LICENSE		LICENSE
Makefile		Makefile
README		README
libsstp.c		libsstp.c
libsstp.h		libsstp.h
main.c		main.c
main.h		main.h
pem2der.c		pem2der.c
pem2der.h		pem2der.h

Repository files navigation

---[ SSToPer ]------------------------------------------------------------------
---[ SSTP Client for Linux ]----------------------------------------------------
---[ By Christophe Alladoum ]---------------------------------------------------


What is SSTP ?
--------------

Wikipedia says:
"Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a
mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL
provides transport-level security with key-negotiation, encryption and traffic
integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through
virtually all firewalls and proxy servers."
http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol


What is SSToPer ?
-----------------

SSToPer is a SSTP client for Linux. It creates SSTP communications with any
Windows Server (2008+) having active service, and is used to establish VPN
communication  with Microsoft Server 2008 and above. Since SSTP is only a
wrapper over PPP communication, pppd (http://ppp.samba.org/) MUST be installed
with the synchronous HDLC serial encoding capability enabled.

Current SSToPer version DOES NOT support certification validation.

SSToPer spawns a pppd instance with noauth option that requires root
privilege. Hence, SSToPer must either be started as root, or have CAP_SETKILL
and CAP_SETUID. This can be done as root :
{{{
$ su -c "setcap cap_setuid,cap_kill+eip ./sstoper"
}}}


Features:
---------

- Establishes PPP based VPN through SSTP
- Proxy 
- HMAC-128/256 support
- (Opt.) Wireshark SSTP dissector provided to analyse SSTP behaviour


Pre-requisites:
---------------

- libcrypto (for hmac.h)
- libgnutls (for gnutls.h and other)
- libbsd (for util.h)
- HDLC-sync capable pppd must be installed
- root privileges on a 2.6 Linux kernel


Todo:
-----

- Certification validation



Installing Wireshark SSTP dissector:
------------------------------------

* Download Wireshark source from http://www.wireshark.org and un-tar archive
* Add "dissectors/packet-sstp.c" in DISSECTOR_SRC section inside `epan/CMakeLists.txt` file
* Add "packet-sstp.c" in DISSECTOR_SRC section inside `epan/dissectors/Makefile.common` file
* Copy sstoper/misc/packet-sstp.c -> wireshark/epan/dissectors/
* In wireshark/ root directory, execute :
{{{
   $ ./autogen.sh && ./configure --with-ssl && make
}}}
* You now have a SSTP-compliant Wireshark version (a simple SSTP negociation
  PCAP file is provided in misc/ directory) which can be started
{{{
   $ sudo ./wireshark  
}}}


SSTP Session example:
---------------------
- first you need your server PEM-formatted CA file. It can usually be obtained
  like this:
  -> Go to http://<server>/certsrv
     -> Click on "Download a CA certificate, certificate chain, or CRL" link
     -> Select "Base64" as "Encoding method" option
     -> Click on "Download CA certificate" link

- un-tar and compile sstoper
{{{
$ tar xf sstoper.tar.gz
$ cd sstoper && make
$ su -c "make install"
}}}

`install` directive will install sstoper binary by properly setting capabilities
so that it can be executed by any user.

- Execution with SSToPer with Linux capabilities
{{{
$ sstoper -s tweety.looney -c misc/vpn.tweety.looney.crt -U user1 -vv
Password:
[...]
2011-06-18 03:07:20  [!] Using default value: '443'
2011-06-18 03:07:20  [!] Using default value: '/usr/sbin/pppd'
2011-06-18 03:07:20  [+] Verbose level: 2
2011-06-18 03:07:20  [*] Starting ./sstoper as 7789
2011-06-18 03:07:20  [+] Connected to tweety:443
2011-06-18 03:07:20  [+] Dropping privileges
2011-06-18 03:07:20  [*] chdir-ed '/var/empty'
2011-06-18 03:07:20  [*] Switch user to 'nobody'
2011-06-18 03:07:20  [+] '/usr/sbin/pppd' forked with PID 7790
2011-06-18 03:07:20  [*] [7790] Waiting for SIGUSR1
[...]
2011-06-18 03:07:27  [*]  --> 112 bytes
2011-06-18 03:07:27  [+] status: CLIENT_CONNECT_ACK_RECEIVED (0x2) -> CLIENT_CALL_CONNECTED (0x3)
2011-06-18 03:07:27  [+] SSTP link established
2011-06-18 03:07:27  [*]  --> 8 bytes
2011-06-18 03:07:27  [*]  --> 22 bytes
[...]

(Hit Ctrl-C to close connection)

2011-06-18 03:07:44  [+] SSTP connection time: 22 sec
2011-06-18 03:07:44  [+] Sent 986 bytes, received 894 bytes
2011-06-18 03:07:44  [+] End of TLS connection, reason: Success.
$ 
}}}

Incrementing verbose option (0-3) will display more connection events. Level 3
will expose low-level details, such as crypto algorithm negociation, key
exchange, etc.

Actually working on Linux (tested Debian & Fedora), other system to be
supported. 


Comments/Bugs:
--------------
Please send me back comments and bugs to
<christophe __DOT__ alladoum __AT__ hsc __DOT__ fr>  with backtrace (using sstoper
-vvv options) and/or an strace output of the bug.


Changelogs:
-----------

06/2012 : migrating to GitHub public repository
06/2011 : 0.21 few bug fixes
03/2011 : 0.2 version adding capabilities, IPv6 support and many fixes.
11/2010 : 0.1 version adding better network handling.
10/2010 : first public release.


Thanks for using SSToPer !

License

Licenses found

hugsy/sstoper

Folders and files

Latest commit

History

Repository files navigation

About

Resources

License

Licenses found

Stars

Watchers

Forks

Languages